The present invention relates to the field of identity provisioning and usage over information networks. The scope traverses identity, credentials, credentialing, also known as identity provisioning, identity assurance, security, privacy, confidentiality, authentication, encryption, and identity management. To assist interpreting the field and scope, a glossary of terms relating to this field is provided as well figures and a list of reference numerals. To ensure personal privacy while provisioning reliable identities for citizens and consumers, the specification, handling and deployment of personal identities needs to be modernized. To date, the provisioning of identities and credentials have been primarily the prevue of web service providers. For identity and credentialing to scale up and become significantly more trusted than existing schemes, individual persons must become increasingly engaged in vetting the identities of other persons and the issuing of credentials to them. Credential owners must be able to reliably and safely control their identities, and unauthorized persons should not be able to fraudulently use the identities of others.
In the real world, physical credentials such as driver's licenses and passports attesting to the identity of the holder are primarily issued by governments, banks, employers, and other types of organizations. Notably, the agents and HR departments of such organizations perform most of the necessary vetting and proofing procedures prior to credential issuance. Physical credentials are rarely issued by individuals to other individuals. However, notaries can issue certified true copies of documents to individuals, and professional engineers, doctors and other professionals can certify true copies of personal identifying information (e.g. passport applications).
Over the Internet, prior art Public Key Infrastructure (PKI), a hierarchical trust model, is the predominant identity provisioning scheme by which identities, in the form of digital certificates, are distributed electronically to enterprises—rarely to individuals. Another technology, Pretty Good Privacy (PGP), a web-of-trust model focused on the identity needs of individuals, employs digital certificates to enable secure communications among personal computers. PGP has enjoyed limited market penetration and was not specified to integrate with PKI. The escalating problems of electronic identity theft and fraud have not been solved by either of these technologies. The present invention significantly improves upon prior art PKI and PGP technologies.
E-fraud is perpetrated over information networks, such as the Internet and cellular networks, by way of identity theft, identity abuse, electronic stalking, spamming, advertising abuse, obfuscation, phishing and deception. Service providers and enterprise systems have been rapidly losing ground in their battle against web-based identity abuse and e-fraud, mainly because today's identity providers and technologies are not able to deliver identities to individuals that can only be readily used by the identity owner. As the Internet continues to grow rapidly in both size and complexity, the providers of web services and end-user computing devices are increasingly hard-pressed to keep up with the escalating breaches, compromised identities, and fraudulent activities—all widely reported across the web.
The essential difficulty in the field of electronic identity is that communicating parties are often unknown to each other, yet they need to conduct transactions with each other as if they were meeting face-to-face. In most circumstances today, a web user as well as a web server cannot be really sure who they are communicating with. Users may wonder if the web site they are visiting is bogus; if their service provider has been properly protecting their accounts and credit cards; if a virus or Trojan software is collecting their private information; or if a blog post is from an imposter or a stalker. The user is obliged to rely on legacy technologies that may be defective, poorly configured, and poorly administered.
For example, account/password authentication schemes are known to be vulnerable to compromise enabling user masquerade (spoofing), denial-of-service, and other abuses. The problems of users and servers managing multiple passwords, re-used passwords, weak passwords, and password resets are widely known. Furthermore, successful access into a system with account/password login only proves that the holder of the account has knowledge of the password; it does not validate the identity of the person knowing the password.
For remote parties to collaborate safely over the web, they need to be able to reliably authenticate each other over a communications channel that cannot be sniffed (read) or tampered with. In other words, they need to be strongly bound to each other across every hop from origination to destination (“end-to-end”).
Single sign-on (SSO) and federated identity frameworks and technologies have addressed some of the challenges of enrolling users, specifying accounts and permissions, containing password proliferation, and managing user passwords. However, the structures for specifying user identities are fragmented, the methods for defining and issuing them are ad hoc, and effective credential interoperability does not exist at this time.
A wide variety of biometric technologies have emerged over the years and have been integrated into personal computers, smart phones, smart cards and various types of security tokens. Digital certificates have also been deployed on smart card technologies and USB thumb drives. Notably, FIPS PUB 201-2 [1] for Personal Identity Verification (PIV) specifies a smart-card based identity card and related systems deployed by the U.S. Federal government.
The approach taken herein leverages selected aspects of prior art identity technologies and emulates identity issuance and usage in the physical world. Such an approach can be expected to facilitate adoption. Consider a driver's license. Such a credential bears the name and selected attributes of the owner, a photograph, the owner's signature, and certain endorsements and restrictions. After “proofing” the applicant against provided identifying information, the agent issues the license to the applicant. When used, the license attests to the owner's identity which the issuer cannot easily repudiate. If the license is borrowed or stolen and subsequently presented by someone other than the owner, the photograph and signature can be used by others to detect fraudulent use.
The present invention follows a similar process employing “personal identity devices”. A wide range of electronic credentials can be specified therein such that they are information-wise equivalent to civil and consumer credentials such as driver's licenses, bank cards, employee IDs, and even business cards. Users, some of whom may be agents of identity provisioning services, are able to collaborate and securely exchange electronic identities that have been proofed and attested to by other users (issuers). The issuer's identity is cryptographically bound to the owner's electronic identity preventing the issuer from repudiating their attestation thereby elevating assurances for 3rd parties. The personal identity device also leverages user authentication data to bind the user to their electronic identities. These features combine to elevate privacy, prevent identity tampering, and prevent others from using electronic credentials to masquerade as the identity owner.
The present invention specifies an electronic identity and credentialing system that combines and adapts prior art to achieve the following distinct features and capabilities:                Mimics identities and credentialing as practiced in the physical world to facilitate adoption;        Leverages growing population of consumers owning personal devices to create personal identity devices;        Enables personal identity device owners to specify, control, proof, attest to, issue, and use their identities for assured collaboration among themselves and secure web access;        Persistently binds owners to their identity devices, and hence their identities (e-credentials) and associated secrets (e.g. private keys and biometric minutia), by controlling local user authentication data;Combines and adapts prior art, preventing 3rd party masquerade, such that only a personal identity device owner can employ one of their identities (E-credentials of an owner can be provided to other parties, however, these other parties cannot use them to execute designated privileged operations).        To execute privileged operations that ensure:                    Messages, digitally signed under the owner's e-credential, were originated by that same owner;            Only the owner can read messages encrypted employing an e-credential of the owner;            Artifacts digitally sealed under the owner's e-credential must have been affixed by the owner (An e-credential owner cannot repudiate having applied their e-credential to digitally sign a message);                        Another user, having received a copy of an owner's e-credential, can challenge a user claiming to be that owner, thereby obtaining assurances that the provided e-credential actually represents the claimed owner;        Owners of personal identity devices can use their e-credentials in concert with the e-credentials of other owners to establish persistent, mutually trusted, secure sessions executing the above privileged operations;        An e-credential issuer can proof the personal identifying information of an e-credential requester, issuing a digitally sealed e-credential to the requester that attests to the requester's identity.        Users with personal identity devices and e-credentials that have been digitally sealed can thereby establish secure channels among themselves wherein they have positive assurances as to the other party's identity.        
U.S. Pat. No. 7,660,988 by Camechael et al. discloses an electronic notary process (“e-notary”) wherein a notary and client can share a workstation, log onto a remote system, and notarize a submitted document by means of a cryptographic scheme that creates a record of the notarization event in the system's online repository. The present invention makes no claims related to using a centralized database to perform electronic notarization, instead specifying a distributed approach whereby users can attest to (e.g. notarize) each other's electronic documents and credentials using personally held identity devices.
WO2005020542 by Salim Aissi et al. discloses a method that binds a public key to specific hardware with an embedded private key to verify the identity and integrity of the trusted computing device. In contrast, the present invention, by means of a personal identity device held by the device owner, binds personal identities of the owner, including public and private keys associated with each identity, to the owner.
EP 2460307 by Jeffery B. Williams et al. discloses a system and methods for strong remote identity proofing, obtaining biographical information from the individual, and using this information to search public data repositories. No claims related to obtaining biographical information to search data depositories for identities are made herein.
EP 1470534 by Vipin Samar et al discloses a method and apparatus for authenticating an individual's identity by validating a credential and corresponding public key, and comparing biometric data with sample data. No claims are made herein specifying any given biometric scheme or biometric data. Rather, the present invention encapsulates authentication data utilized by biometric mechanisms pre-installed on the personal identity device of the user.
EP 1130491 by Corella et al. discloses a method for structuring a digital certificate comprised of multiple authorization hashes that a relying party can use to access relevant authorization information. The present invention does not claim to create, filter, mask or hash authorization data that relying parties can use to make authorization decisions. In contrast, the present invention creates identities that can be provided to other parties to make authorization decisions outside the context and scope of the present invention.
U.S. Pat. No. 8,127,228 by Cheng et al. discloses a method and a system for electronic document management based on human memory wherein a digital seal is a personalized association mnemonic applied to a document comprised of, for example, icons and text. This prior art does not appear to apply cryptography, while the present invention uses cryptography, creating digital seals that can be visually rendered and cannot be repudiated by the e-credential owner;
U.S. Pat. No. 7,310,734 by Boate et al. discloses an improved network security system, methods and a personal identifier device, used to control network access and real time authentication of a user's identity and presence at a particular network access point. Biometric verification and cryptography is provided on-board the portable personal digital identifier device to provide authenticated digital signatures which are used for establishing secure access to data stored on a network and for performing secure transactions over a network. Biometric authentication is used to verify user presence, and biometric data is used to create digital signatures, subsequently used for secure access. In contrast, the present invention does not perform biometric verification or matching, or use biometric data to create digital signatures, instead holding authentication data, including biometric minutia, within an identity engine, and relying on an authentication control interfaced to a pre-existing biometric module (assumed to be present), to invoke user authentication and thereby establish user persistence.
U.S. Pat. No. 8,019,691 by Dominguez et al. discloses methods and systems for authenticating the identity and validating the profile data of an individual (presenter) who presents him or herself to another party (acceptor) performed online, possibly querying a trusted party for profile data. Although the present invention leverages an equivalent procedure called “identity proofing”, the administrative (human) details of such a procedure are not specified and are incidental to the present claims. The present invention does, however, specify artifacts and methods needed to enable mutually trusted sessions between requesters and issuers when conducting identity proofing, a feature that is not addressed by this prior art.
U.S. Pat. No. 6,401,206 by Khan et al. discloses methods and computer programs for creating a portable digital identity of the individual that may include personal information, data representing the person's handwritten signature, one or more passwords, seals, fingerprints, biometric information, and answers to questions that are composed by the user. The digital identity can be used to bind a verifiable electronic impression with an electronic document using electronic watermarks so that any modification in the document or the electronic impression bound to the document can be detected. The digital identity of a user can be created once and stored after encryption for protection. This digital identity can then be used by the signer to bind a unique instance of an impression of the digital identity to any document. Document and digital identity verification including verifying a cryptographic digital signature that establishes the integrity of the document, enables non-repudiation of origin to the extent that it was signed by the user's private key.
An e-credential does not contain handwritten signature, passwords, biometric data (e.g. fingerprint minutia), answers to user questions, or other such sensitive information because an e-credential is normally disclosed to collaborating parties to support user collaboration. Also, the present invention does not attempt to generate public-private key pairs from personal identifying information to apply a cryptographic signature to documents, choosing instead to create three (3) public-private key pairs, embedding the public keys in the user's e-credential, and retaining the private keys in protected memory store (possibly removable) of the personal identity device which is strongly bound to the user. The present invention uses two of these public-private keys to support secure remote collaboration, which the prior art does not, reserving one of the key pairs for digital sealing and verifying of electronic documents. This prior art discloses that it ensures non-repudiation to the extent that the cryptographic signature was signed by the user's private key. In contrast, the present invention ensures that the private key (the “embossing” key) used to digitally seal an electronic document, is persistently in the custody of the user, thereby elevating non-repudiation strength over this prior art.
Password and PIN-based authentication schemes, despite their acknowledged weaknesses, continue to be used because of their ease-of-use and ease-of-implementation properties. Password-based remote password authentication schemes, including those using Personal Identity Numbers (PINs), have been long-demonstrated to be vulnerable to user masquerade. Local password and PIN-based schemes are less vulnerable as such user secrets are not exposed over intervening networks. However, the all too common practice has been for users to employ the same passwords and PINs for both local and remote access.
Employing a number of fairly straight-forward exploits (e.g. sniffing and social engineering) and readily available software tools for password-cracking, a malicious attacker can defeat traditional PIN and password-based authentication, using the acquired private information (account numbers and identifiers) and user secrets (the PINs and passwords themselves) to fraudulently tamper with online accounts. Risks can be reduced by introducing guidelines for creating stronger passwords, automated procedures for creating non-guessable passwords, augmenting these schemes with non-guessable security questions, incorporating behavioral analysis, detection, automated blocking tools, implementing safer account reset procedures, and elevating user awareness of social engineering attacks and scams providing avoidance advice. Routine reuse of the same and similar passwords and PINs should be prohibited or at least strongly discouraged.
Pioneered by Liberty Alliance and other players in the late 1990s and early 2000s, single-sign-on (SSO) solutions federate identity provisioning and access enabling users to be authenticated in a small number of places, or possibly at a single centralized location. Such approaches can significantly reduce the number of PINs and passwords required, however, they require users to be authenticated online at points of consolidation and centralization that must in turn be networked to achieve deployment on a wide-spread, potentially global scale. The consolidation points present attractive targets for various cyber-attacks.
The present invention promotes a distributed approach for identity acquisition and provisioning that promises to be highly scalable and avoids the above-cited weaknesses of password and PIN-based remote access schemes.
Fingerprint, facial, and iris recognition schemes are commercially viable for deployment on user platforms (e.g. PCs and smart phones). Ma in reports the relative accuracy of available biometrics in terms of false positive rates with facial recognition at 43%, fingerprint at 30%, signature at 28%, voice at 20%, and iris recognition at only 0.47%. This helps explain the growing interest in iris biometrics.
User preferences for biometric schemes, matching accuracy, matching performance, human risks factors, and compatibility with the individual circumstances can vary widely, implying that solutions should offer users a range of biometric options for remote user authentication.
Meanwhile, emerging biometric signatures leveraging the body's venous, nervous and DNA systems are being studied by research institutions and can be expected to emerge over time. This observation suggests that biometric-based identity solutions should be extensible, accommodating add-on biometric technologies in a modular fashion as they emerge.
As users become better informed about the privacy risks posed by global networks, users are also becoming increasingly skeptical about systems that maintain biometric minutia and templates for biometric matching at consolidated and centralized locations. This suggests that biometric authentication schemes should de-centralize biometric capture and matching, putting such sensitive operations in the custody and control of users, that is, within their personal devices.
The inventive subject matter described herein advocates an authentication approach that consolidates biometric minutia (i.e. authentication data), regardless of the type of biometric, into a personal device controlled by the user which enables incorporating a range of biometric options that can be integrated in a modular fashion.
Multi-factor authentication technologies have been emerging and being increasingly advocated. Multiple authentication factors can be applied jointly to reduce the probability of failed authentication due to the compromise or fallibility of any given factor or factors. MFA typically addresses “What the user knows” (PIN, password, responses to questions), “What the user has or holds” (smart card, smart phone, FOB), and “What the user is” (iris, fingerprint, facial and other biometrics). Geo-location and behavioral authentication schemes are also factors that can be incorporated.
Extant solutions include 2-factor authentication schemes for banking that use a PIN and chip card (a smart card), hardware tokens that generate one-time-passwords (OTPs) for remote terminal logon, and smart phone solutions that integrate the text messaging channel of the phone to distribute OTPs to users when using a personal computer.
The inventive material herein accommodates MFA combining device custody, with local PIN/password authentication, and biometric options.
The prior art discloses public key infrastructure (PKI) and digital certificates, an identity technology, introduced to automate the deployment of public-private encryption key pairs for secure communications, message transmission, and document safe-keeping. Digital certificates, conforming to the X.509 standard, include a public encryption key that is paired with a private key stored outside the context of the digital certificate. Tests can be performed to verify that a remote party holds the private key of a public key without having knowledge of the private key. PKI implements a hierarchical trust model wherein certificate authorities successively distribute digital certificates to dependent certificate authorities, Internet servers, and end-user devices. Digital certificates and their corresponding private keys are distributed by certificate authorities to other certificate authorities, to servers, and to end-user devices. Certificate authorities have the option of employing qualified human agents for 3rd party identity proofing and verification.
The present invention improves upon the above features, overcoming the following deficiencies of PKI:                (a) Using qualified independent certificate authorities, effective for verifying and tracking the identity of service providers, does not scale for human beings who outnumber servers by orders of magnitude;        (b) Because public-private key pairs are generated by certificate authorities and subsequently distributed electronically, such key pairs could be vulnerable to compromise during distribution;        (c) Because X.509 digital certificates only specify the certificate holder by a common name or identifier, identities of persons cannot be specified comprehensively for commercial and other such applications;        (d) Digital certificates do not readily bind with other personal identifying information of an owner such as digital photographs or personal identifying information (e.g. passport, driver's license, certifications);        (e) Although digital certificates enable relying parties to verify that the digital certificate owner has the private key that matches the public key of a digital certificate, PKI does not incorporate personal identifying information that reliably distinguishes the certificate owner from other users;        (f) PKI does not provide assurances that the private key is strongly bound to the certificate owner;        (g) PKI does not incorporate identity proofing and binding capabilities that provide objective evidence to relying parties that an independent party has attested to the identity of the digital certificate holder;        (h) Because X.509 certificates are associated with a single public-private key pair, typically multi-purposed (e.g. used for digital signing, encryption, email, FTP, etc.), the risks of encryption key compromise are elevated over other approaches.        
Finney et al discloses Pretty Good Privacy (PGP) which was introduced to automate the deployment of public-private key pairs among persons (peer-to-peer) to secure communication channels, transmitted messages, and documents among PGP users. In contrast to PKI, PGP implements a web of trust model wherein individuals issue digital certificates to each other. An end-user, having installed the PGP software on their personal computer, creates an X.509 digital certificate containing a single public key with matching private key stored on the user's computer. PGP enables an informal process whereby a first user can send such a certificate to a second PGP user who digitally signs and returns the certificate to the first user. By retaining the single private key of a digital certificate within the owner's computing device, PGP reduces the risk of exposing and compromising this private key. This approach for creating and sharing digital certificates can be replicated among users with PGP software on their computing devices. PGP users can present one or more signed digital certificates to relying parties (users), elevating identity assurances when presented to other parties.
The present invention improves upon the above features, overcoming the following deficiencies of PGP:                (a) Because X.509 digital certificates only specify the certificate holder by a common name or identifier, identities of persons cannot be specified comprehensively for commercial and other such applications;        (b) Digital certificates do not readily bind with other personal identifying information of an owner such as digital photographs or personal identifying information (e.g. passport, driver's license, certifications);        (c) Although digital certificates enable relying parties to verify that the digital certificate owner has the private key that matches the public key of a digital certificate, PGP does not incorporate personal identifying information that reliably distinguishes the certificate owner from other users;        (d) PGP does not provide assurances that the private key is strongly bound to the certificate owner;        (e) PGP does not incorporate a formal identity proofing process whereby relying parties are provided objective evidence of a user's identity;        (f) Because X.509 certificates are associated with a single public-private key pair, typically multi-purposed (e.g. used for digital signing, encryption, email, FTP, etc.), the risks of encryption key compromise are elevated over other approaches.        